RISK : ISSUES FOR BOARDS (MODULE 5)
1. Risk governance structure
2. Risk appetite
3. Structuring risk management
4. Embedding risk into governance
5. Supervising/Monitoring/Reporting
6. Risk and culture
7. Crisis management
8. Emerging risks
Set the Risk Appetite/Tolerance = amount of risk exposure the organisation is willing to pursue/tolerate to meet its goals
- understand the purpose, values and strategy of the organisation
- why are the shareholders here and what is their appetite for risk
- what is the organisation's capability
- understand the environment in which the org is operating
Whether as a formal or informal process, all organisations manage risk. As an organisational process, this can be separated into six separate activities:
- Understand the context.
- Identify risks and determine tolerances.
- Measure / quantify / assess risks.
- Make decisions on the management of risks.
- Monitor and report risks.
- Oversee, evaluate, assess and fine-tune the risk management process.
Specific Risk tolerances
- Hazard Risk, Asset management, safety, environment, regulatory
- Financial Risks
- Operational Risks
- Strategic Risk
- Unacceptable Risks
Different risks, different appetite
Risk Register and Framework/Matrix - management of risk
- Consequence vs Likelihood
- Accepted risk vs Risk mitigation
Directors role
- Receive info
- Ask questions
- Make Decisions
How should the board and management be structured to provide appropriate risk management and risk oversight?
- Do we have an audit and risk committee or do we split it?
- Committee options
-- Full board, no committee
-- Audit and risk committee
-- Separate audit and risk committees
-- Relationship with other committees
- Management options
-- executive committee
-- Chief Risk Officer
-- Use of internal Audit
-- Is the board comfortable, is the structure appropriate?
- External assurance options
-- what is the 3rd party view of the internal risk and audit committee
Embed risk in all normal governance activities
- Board reporting
- Board papers
- Board calendar
(template for discussion, decision, noting as well as risk)
Top 6 risks to be added to the papers for discussion. Understand the strategy and risk
What quality of data do we want (qualitative and quantitative)
Ensure that the working risk management creates value
Takes human and culture into account
- Risk appetite
- Risk management policy
- Risk management framework
- Risk register
- Risk profile
Organisational Culture
Is the org culture aligned to the risk appetite of the organisation?
What do we need to have in place to align culture with risk policy?
- Ensure there is education
- Is communication of good and bad news encouraged?
- Is there a code of conduct?
- Is there a whistle-blower system in place?
- How are incentives structured?
- Do any policies drive unintended behaviour?
- Does the leadership team 'lead by example'?
Boards take a different role in times of crisis
Preparation for crisis is an investment in organisation resilience
Board’s responsibility for crisis management is part of its fiduciary duty.
Therefore, the board must ensure:
• Management has developed and implemented a robust risk management system.
• Management has developed crisis management / business-continuity plans and procedures (have we ever tested it?)
The board’s specific role and responsibilities at a time of crisis will depend on the nature of the crisis.
The board can, for example:
• Support the CEO in managing the crisis.
• Use the board’s network of contacts to alleviate / remedy the crisis.
• Mentor the management team to overcome the issue(s) facing the organisation.
• Source external support for the management team.
Global uncertainty
Interdependence and contagion
Disruptive Innovation
Mass migration
Disruptive Technologies
Cyber security
Cloud computing
ESG reporting
Extreme weather events
VUCA - Volatility, Uncertainty, Complexity and Ambiguity
Social Media
Virtual and Augmented Reality